Lead generation in compliance with GDPR: practical instructions and tips

Written by Ilari | Dec 20, 2022 9:18:15 AM

Leads are a requirement for success for any e-commerce or web-based business, and entrepreneurs often go to great lengths to generate them. However, in the rush of lead generation, one might forget that it is regulated by the EU's general data protection regulation, GDPR.

It doesn't matter how you generate leads: a contact form, contest, lead magnet, or survey all process personal data, so complying with GDPR is mandatory. At a minimum, this means that you must obtain consent to the use of the data and describe for what purpose you intend to use it.

However, when it comes to complying with the law, the old saying "better too much than too little" applies. Therefore, when it comes to generating leads you should play it safe. 

By reading this article, you will learn what GDPR and ePrivacy are and how to handle lead generation in compliance with the GDPR's requirements.

This should not be taken as legal advice, but with these tips you will ensure that you don't have to do things the hard way later.

Why does GDPR regulate lead generation?

The purpose of the GDPR is to protect EU citizens from the illegal collection, use and sale of their personal data. As lead generation requires the collection of data, you must comply with the GDPR.

For example, one of the most common lead generation tools, the newsletter subscription form, collects personal information from your customers. It could be just their e-mail address; that is considered personal data.

According to the law, personal data is any information based on which a person can be identified directly or indirectly. 

Examples of personal data:

  • name
  • e-mail address (personal, not a general company address like info@company.com)
  • home address
  • telephone number
  • IP address

Therefore, lead generation in accordance with the GDPR applies to any form, lead magnet, or webinar. 

GDPR affects any company dealing with EU citizens, so it doesn't matter whether your business is domestic or international.

As a rule of thumb, you should play it safe and ensure that your lead generation efforts are in accordance with the GDPR, whatever your target market is.

What are GDPR and ePrivacy?

The European Union GDPR, General Data Protection Regulation, regulates how and why personal data may be collected and stored. In addition, the regulation defines the rights of an individual to obtain and delete their data.

A regulation is the EU's most robust means of regulating the laws of its member countries, and it is valid as such in every member country. 

GDPR in a nutshell 🥜

GDPR requires that personal data be processed:

  • appropriately and according to the law
  • for a specific and lawful purpose
  • for the previously stated purpose alone

A company may process personal data if:

  • It has gained the consent of the person
  • It has a contractual obligation to do so
  • It is trying to protect the person's best interests

However, the company's use of the data cannot interfere with the person's fundamental rights and freedoms.

Individuals must also be given clear information about who processes their personal data and why.

GDPR is particularly strict in that data processing is based on consent. Make sure the person understands what they are agreeing to.

This means that the person must give consent:

  • Voluntarily
  • Individually
  • Consciously
  • Unequivocally

This must be done by explicitly expressing consent, such as ticking a box or signing a form.

The policy to which the person gives consent must be presented in clear and understandable language.

The person must also be given the opportunity to withdraw consent at any time.

Remember that data can only be processed for the purposes for which consent has been given.

ePrivacy

In addition to GDPR, online activities and communication are regulated by the data protection directive ePrivacy. It directs the use of cookies and e-mail marketing, regardless of whether personal data is processed or not.

ePrivacy is a directive that instructs the policies of the EU member states and is often referred to as a complementary part of the GDPR. ePrivacy will be made into a regulation, which is a stricter rule than a directive, i.e. it directly defines the law of each member state regarding the matter.

This means that privacy protection will be expanded even further to include all electronic communication, such as e-mail and, for example, the WhatsApp messaging application. In addition, ePrivacy sets uniform rules for cookies and online tracking (🍪).

How does this affect your everyday life?

In Finland, the ePrivacy directive is already part of the law on electronic communication services. The law is so strict that there is hardly a need to make any major changes.

So you'll do just fine with the tips in this article. Just make sure that your lead generation is done according to GDPR and ePrivacy. That way you don't have to worry about changes in legislation for a good while.

👉 You can ensure this by contacting us and booking a free appointment with our SuccessGuide

Complying with GDPR in lead generation (checklist)

Here are the most important steps you need to take to comply with GDPR and ePrivacy. 

1. Always gain consent

The easiest and simplest way to comply with the GDPR is to always ask for consent to data collection.

No matter what method you use for lead generation (a contact form, downloading a lead magnet, or registering for a webinar), when collecting data there must be a checkbox to accept your terms and a description of how you will use the data you collect.

In addition to a short description, the form must link to your privacy policy.

2. Tell how and why you collect data

When you collect data, you must be able to prove the legal basis for the data collection if necessary. If you collect leads and plan to use the information you collect for marketing purposes, spell it out clearly in your privacy policy.

Your privacy policy should disclose:

  • How data is collected
  • Why data is collected
  • The legal justification for why the data is collected
  • How the information is used
  • Whether you sell data (and to whom)
  • How users can opt out of data collection

Always check your privacy statement with a qualified professional.

3. Keep the Privacy Policy visible and accessible

After you have prepared the privacy statement, make it visible on your website. The privacy policy cannot be hidden in the menu hierarchy; it should be easily found in the main menu or, for example, in the footer.

4. Offer the option to withdraw consent

Although the acquisition of leads requires time and effort, and no one wants to give up the acquired leads, customers must still have the option to opt out at any time.

It can be upsetting, but even more upsetting are the enormous fines for not complying with the GDPR.

5. Keep data safe

Make sure that the data you collect is safe, and state in your privacy policy what steps you take to secure the data. In addition, disclose your relationship with third-party organizations.

Using cookies in lead generation

Cookies are familiar to all of us because the first thing we notice when browsing the internet is a pop-up asking for cookie consent. Consent is often given without much thought.

However, cookies collect user data, so consent must always be gained.

Cookies are used to track website visitors and collect their information for various purposes, such as retaining login details or the contents of the shopping cart, displaying targeted advertisements, or providing information about your website.

Cookies are often divided into four categories:

  • Functional/necessary cookies to ensure that your website works as it should
  • Preference cookies, which are not strictly necessary
  • Analytics, such as collecting data for Google Analytics
  • Marketing cookies, used to target ads

Consent to cookies must be gained, just as in any other use of information: unambiguously and voluntarily.

Add a pop-up to your site that asks for cookie consent. Include information about what the cookies track and how the collected data is used. Also, add a link to the privacy statement.

Cookiebot is an excellent tool for checking your website's GDPR compliance and implementing customized cookie consent.

Lead generation in compliance with GDPR in competitions and events

Of course, you can also collect leads through various competitions. In these, the same already familiar rules for data collection apply.

You may only collect personal data necessary to organize a draw or competition.

The information you collect may only be used to organize the draw or competition in question, and you must clearly state for what purpose the information will be used and how long it will be stored.

Please note that if you want to use the data for marketing purposes, consent must be requested separately.

Summary 🤝

Lead generation in compliance with the GDPR is mandatory for every company that collects personal data.

If you generate leads, you also collect data, so you need to comply with the GDPR.

GDPR (General Data Protection Regulation) is a regulation to protect EU citizens from the illegal collection, use, and sale of their data. It defines how and why personal data may be collected and stored.

In addition, the regulation stipulates the rights of an individual to obtain and delete their data.

Lead generation in compliance with GDPR:

  1. Always ask for consent
  2. Tell how and why you collect data
  3. Keep your Privacy Policy visible
  4. Offer the option to withdraw consent
  5. Keep data safe

Cookies also collect user data, so cookie consent must always be gained. 


The rule of thumb is to play it safe and utilize help from an expert.


👉 You can get off to a good start by booking a free meeting with our SuccessGuide